Plan for the Worst, Hope for the Best: Why You Must Have a HIPAA Risk Assessment

“The single biggest and most common compliance weakness is the lack of a timely and thorough risk analysis.”

-Leon Rodriguez, former head of the U.S. Health and Human Services Office for Civil Rights

When the Office for Civil Rights (“OCR”) auditor drops by your health facility to ensure that you are complying with HIPAA, one thing is for certain: he will be asking to see your Risk Assessment. Do you have one? Is it completed? Has it been used to develop and implement appropriate policies and procedures?

Audit Risks Are Real

The OCR is cracking down on covered entities’ and business associates’ compliance with HIPAA. Audits are becoming commonplace and resulting in more and more providers being hit with fines and sanctions. You may think that even if you are subject to an audit, then penalty will be a slap on the wrist. Think again. The maximum penalty for a HIPAA violation is now $1.5 million. Maybe you are too small of a provider to be the target of an audit? Think again, again. In January of 2013, Hospice of North Idaho agreed to pay the Department of Health and Human Services (“HHS”) $50,000 to settle potential HIPAA violations stemming from a 2010 incident involving a stolen, unencrypted laptop. It was the first HIPAA breach settlement involving less than 500 people. The hospice did not have a risk assessment in place.

Risk Assessments Are Not Optional

A HIPAA risk assessment is a thorough investigation and analysis of areas where there is potential risk of violating HIPAA laws. A risk assessment is not optional and it is not just a checklist. Covered entities, and now business associates, are required to have an assessment done. Specifically, entities must:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

These assessments are critical to compliance with the HIPAA Security Rule. An assessment should include questions addressing administrative, physical, and technical safeguards, and the Breach Notification Rule. Many assessments are created in the form of a table and not only analyze the level of the risk, but also whether there is a policy in place and who should be responsible for ensuring each provision is implemented.

Risk Assessments Are Just the First Step

Once your facility’s risk assessment is complete, then it and any relevant accompanying documents should be kept in your HIPAA security files. Assessing risks is only a first step. You must use the results of your risk assessment to develop and implement appropriate policies and procedures. The use of a privacy officer is highly recommended. Consider offering training to employees where a sign-in sheet is required and certifications are provided once training is complete. This kind of documentation will be very beneficial when the OCR auditor is at your door.

If you are a provider and would like help creating and implementing a HIPAA risk assessment, contact the health care attorneys at McBrayer, McGinnis, Leslie & Kirkland, PLLC. We are available to provide privacy and security training, along with a risk assessment tool which can be catered to individual providers. It is not a question of if there is a breach at your facility, but rather when. Let us help you be prepared.

This article is intended as a summary of state law and does not constitute legal advice.